These risks can be mitigated in several ways. Put in place a layered set of controls, each aimed at a specific class of attack, to protect data security, privacy, authentication and the physical security of network devices, workstations, servers and other equipment. Such controls include hardware and software firewalls, written security policies and standards, physical locks and key management, an inventory that records where each device is, and regular patching, monitoring and maintenance of hardware and software. Risks arising from the policies themselves are reduced by making sure each policy is written for a defined audience, is actually implemented and monitored for compliance, and satisfies the governmental and industry regulations that apply.
To limit the spread of malicious code and block intrusion attempts, a firewall inspects incoming and outgoing packets and passes only those that match the permitted sources, destinations, protocols and ports. The ruleset should default to deny, opening only the ports that services actually need, so that code probing for an unprotected listener gets no answer. Firewall logs and traffic statistics can also be examined, automatically or by administrators, to spot patterns that indicate malicious activity.
A firewall is a combination of hardware and software that monitors and controls the packet traffic crossing the boundary of the organisation's network, including traffic between internal services and services outside the local site, and so limits the attacks that can reach the network. Its three primary goals are to secure the network itself, to protect the users of the network, and to provide a single, centrally managed point of perimeter control.
A firewall should take a multi-layered approach and use stateful packet filtering. Packet filtering and Network Address Translation (NAT) operate at the network and transport layers of the OSI model, while proxies, application-level services and encryption operate at higher layers, so combining them gives controls at several layers. Stateful packet filtering is superior to stateless filtering because the firewall records the state of each connection between client and server in a connection table keyed on addresses, ports and protocol, and admits an inbound packet only if it belongs to a connection that an inside host initiated. A stateless filter must judge every packet on its headers alone, and therefore has to leave reply ports open to everyone.
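The difference between the two kinds of filter is easiest to see on concrete traffic. The following is an added example, not code from the essay: a toy stateless filter beside a toy stateful filter, both run over constructed packets. The internal prefix 10.0.0., the allowed outbound ports and the TCP handshake handling are assumptions made for the demonstration, and the connection tracking is simplified (only RST tears a flow down).

```python
# Added example (not from the essay): a toy stateless filter beside a toy
# stateful filter, run over constructed traffic, to show why connection
# tracking matters. Addresses, ports and rules are assumptions for the demo.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flags as letters: S=SYN, A=ACK, F=FIN, R=RST


INTERNAL_PREFIX = "10.0.0."          # assumed internal network
ALLOWED_OUTBOUND = {53, 80, 443}     # assumed policy: inside hosts may reach DNS/HTTP/HTTPS


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


class StatelessFilter:
    """Judges every packet on its headers alone. To let replies back in it
    must admit any inbound packet whose source port is an allowed service
    port, and an attacker can simply choose that source port."""

    def decide(self, p: Packet) -> str:
        outbound = is_internal(p.src) and not is_internal(p.dst)
        inbound = is_internal(p.dst) and not is_internal(p.src)
        if outbound and p.dport in ALLOWED_OUTBOUND:
            return "ALLOW"
        if inbound and p.sport in ALLOWED_OUTBOUND:
            return "ALLOW"                       # the hole: sport=443 reaches any inside port
        return "DROP"


class StatefulFilter:
    """Keeps a connection table keyed on the 5-tuple as seen from the inside.
    Inbound packets are admitted only if they belong to a connection an
    internal host initiated; everything else is dropped."""

    def __init__(self) -> None:
        self.table: Dict[Tuple[str, str, int, str, int], str] = {}

    def decide(self, p: Packet) -> str:
        if is_internal(p.src) and not is_internal(p.dst):
            key = (p.proto, p.src, p.sport, p.dst, p.dport)
            if key in self.table:
                if "R" in p.flags:
                    del self.table[key]          # simplified teardown: RST ends the flow
                return "ALLOW"
            new_flow = p.proto == "udp" or p.flags == "S"
            if new_flow and p.dport in ALLOWED_OUTBOUND:
                self.table[key] = "NEW"
                return "ALLOW"
            return "DROP"
        if is_internal(p.dst) and not is_internal(p.src):
            key = (p.proto, p.dst, p.dport, p.src, p.sport)
            state = self.table.get(key)
            if state is None:
                return "DROP"                    # unsolicited: no matching outbound flow
            if p.proto == "tcp" and state == "NEW":
                if p.flags != "SA":
                    return "DROP"                # only a SYN/ACK may answer our SYN
                self.table[key] = "ESTABLISHED"
            if "R" in p.flags:
                del self.table[key]
            return "ALLOW"
        return "DROP"                            # no transit between two outside hosts


def run(filt, packets: List[Packet]) -> List[str]:
    return [filt.decide(p) for p in packets]


# Constructed traffic: a legitimate HTTPS handshake from an inside host,
# followed by an outside attacker using source port 443 to reach RDP.
TRAFFIC = [
    Packet("tcp", "10.0.0.5", 51000, "203.0.113.10", 443, "S"),
    Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 51000, "SA"),
    Packet("tcp", "10.0.0.5", 51000, "203.0.113.10", 443, "A"),
    Packet("tcp", "198.51.100.7", 443, "10.0.0.9", 3389, "S"),
]

if __name__ == "__main__":
    print("stateless:", run(StatelessFilter(), TRAFFIC))   # last packet allowed
    print("stateful: ", run(StatefulFilter(), TRAFFIC))    # last packet dropped
```

The stateless filter has no way to tell the attacker's packet from a server reply, because both carry source port 443; the stateful filter drops it because no inside host ever opened a connection to 198.51.100.7.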
A proxy server, or application-level gateway, goes further than a packet filter: to limit the spread of malicious code and block intrusion attempts, it inspects the data portion of packets passing through the firewall to decide whether the traffic should be allowed or denied. The proxy terminates the client's connection and opens a new connection of its own to the outside host, so the internal source address is never exposed: all communication from inside the network to external hosts appears to originate from one source, the proxy server.
Because proxies examine the whole application payload rather than only the header fields a packet filter sees, they can log far more detail (requested URLs, commands, user names) than a packet filter. Traffic that matches the proxy's rules is re-issued in new packets carrying the proxy's own source address, which shields the internal hosts from the outside hosts they talk to.
Internal and external hosts are never directly connected. Attacks that rely on malformed packets do not reach the internal host, because the proxy rebuilds every packet from what it parsed rather than forwarding the original bytes. A proxy also fails closed: if it stops, all communication through it stops, whereas a failed packet filter may fail open and let traffic through unfiltered.
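To make the "inspect the payload, then rebuild" behaviour concrete, here is an added example that is not part of the essay: a decision function for a toy HTTP forward proxy. It parses the request strictly (anything it cannot fully interpret is refused, which is what stops mangled data from being relayed), applies an allow-list of hosts and methods, and rebuilds the outbound request from the parsed fields with the proxy's own address in a Via header. The proxy address, allowed hosts and the three constructed requests are assumptions for the demonstration; chunked transfer encoding is deliberately not supported.

```python
# Added example (not from the essay): a toy HTTP forward-proxy decision
# function. It parses the application data strictly, applies an allow-list,
# and rebuilds the outbound request with the proxy's own address so the
# client's identity is hidden. Hosts, addresses and rules are assumptions.
import re
from typing import Dict, List, Optional, Tuple

PROXY_ADDR = "203.0.113.2"                          # assumed external address of the proxy
ALLOWED_HOSTS = {"www.example.com", "updates.example.net"}
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
HOP_BY_HOP = {"proxy-connection", "proxy-authorization", "x-forwarded-for"}
HEADER_RE = re.compile(rb"^([A-Za-z0-9-]+):[ \t]*(.*?)[ \t]*$")
LOG: List[str] = []                                  # what a real proxy would send to syslog


def parse_request(raw: bytes) -> Optional[dict]:
    """Strict HTTP/1.x parse. Returns None for anything malformed or
    ambiguous: the proxy never forwards bytes it could not fully interpret."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[0].isalpha() or parts[2] not in (b"HTTP/1.0", b"HTTP/1.1"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        m = HEADER_RE.match(line)
        if m is None:
            return None
        name = m.group(1).decode("ascii").lower()
        if name in headers:
            return None                           # duplicate header: classic smuggling trick
        headers[name] = m.group(2).decode("latin-1")
    if "host" not in headers or "transfer-encoding" in headers:
        return None                               # toy proxy: no chunked bodies
    declared = headers.get("content-length", "0")
    if not declared.isdigit() or int(declared) != len(body):
        return None                               # declared length must match bytes present
    return {"method": parts[0].decode("ascii"), "target": parts[1].decode("latin-1"),
            "headers": headers, "body": body}


def proxy_decide(raw: bytes, client_ip: str) -> Tuple[str, bytes]:
    """Return ("ALLOW", rebuilt_request) or ("DENY", reason)."""
    req = parse_request(raw)
    if req is None:
        LOG.append(f"{client_ip} DENY malformed request")
        return "DENY", b"malformed request"
    host = req["headers"]["host"].split(":")[0].lower()
    if req["method"] not in ALLOWED_METHODS:
        LOG.append(f"{client_ip} DENY {req['method']} {host}{req['target']} method not allowed")
        return "DENY", b"method not allowed"
    if host not in ALLOWED_HOSTS:
        LOG.append(f"{client_ip} DENY {req['method']} {host}{req['target']} host not allowed")
        return "DENY", b"host not allowed"
    # Rebuild from the parsed fields, never from the client's original bytes.
    lines = [f"{req['method']} {req['target']} HTTP/1.1"]
    for name, value in req["headers"].items():
        if name not in HOP_BY_HOP:
            lines.append(f"{name.title()}: {value}")
    lines.append(f"Via: 1.1 {PROXY_ADDR}")           # the only address the outside host sees
    rebuilt = "\r\n".join(lines).encode("latin-1") + b"\r\n\r\n" + req["body"]
    LOG.append(f"{client_ip} ALLOW {req['method']} {host}{req['target']} {len(req['body'])}B")
    return "ALLOW", rebuilt


# Constructed sample requests for the demonstration.
GOOD = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
        b"User-Agent: demo\r\nX-Forwarded-For: 10.0.0.5\r\n\r\n")
BAD_HOST = b"GET / HTTP/1.1\r\nHost: evil.example.org\r\n\r\n"
SMUGGLED = (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
            b"Content-Length: 5\r\nContent-Length: 50\r\n\r\nhello")

if __name__ == "__main__":
    for sample in (GOOD, BAD_HOST, SMUGGLED, b"garbage"):
        print(proxy_decide(sample, "10.0.0.5")[0])
    print("\n".join(LOG))
```

Note that the log records the client address and the full URL, information a header-only packet filter never has, while the rebuilt request carries only the proxy's address.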
Packet Filtering and Encryption
Without encryption, an attacker who captures a valid session packet from one host can alter it, or replay it, and send it to another host; the bogus commands in the modified packet may crash or subvert the receiving host. With encryption, the packet contents are concealed from outside observers, and when it is combined with an integrity check (a message authentication code or an authenticated-encryption mode) the destination host rejects any packet that was altered in transit. This makes firewalls that encrypt their traffic a far less attractive target.
Encrypting packets costs extra CPU time on top of the other services the server provides. Block-cipher modes also require the plaintext to be padded to a multiple of the cipher's block size. Encryption on its own provides confidentiality: only the intended recipients can read the data. It does not by itself guarantee integrity, since a stream-cipher or counter-mode ciphertext can be bit-flipped without knowing the key; integrity comes from adding a message authentication code or using an authenticated-encryption mode, which lets the recipient detect any modification by an outside source.
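The two preceding paragraphs make a claim that is worth seeing fail and then succeed. The following is an added example, not code from the essay: a toy stream cipher (a keystream derived from HMAC-SHA256 in counter mode, used so the demo needs only the standard library; real systems use AES-GCM or ChaCha20-Poly1305) shows that encryption alone lets an attacker change "0100" to "9900" without the key, and that encrypt-then-MAC plus a nonce memory rejects both the tampered packet and a replayed one. Keys, nonce and the message are constructed for the demonstration.

```python
# Added example (not from the essay): confidentiality without integrity.
# The "cipher" is a toy keystream built from HMAC-SHA256 in counter mode,
# chosen so the example runs with the standard library only; a real system
# would use AES-GCM or ChaCha20-Poly1305. Keys, nonce and message are
# constructed for the demo.
import hashlib
import hmac
from typing import Optional, Set, Tuple

NONCE_LEN, TAG_LEN = 16, 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR; nothing here detects tampering."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def flip(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """What an attacker without the key can do to a stream cipher: XOR the
    ciphertext with old^new and the recipient decrypts to `new` at that offset."""
    buf = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        buf[offset + i] ^= o ^ n
    return bytes(buf)


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ct = stream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


class Receiver:
    """Verifies the tag in constant time before decrypting, and refuses to
    accept the same nonce twice, so a captured valid packet cannot be replayed."""

    def __init__(self, enc_key: bytes, mac_key: bytes) -> None:
        self.enc_key, self.mac_key = enc_key, mac_key
        self.seen: Set[bytes] = set()

    def receive(self, blob: bytes) -> Optional[bytes]:
        if len(blob) < NONCE_LEN + TAG_LEN:
            return None
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected) or nonce in self.seen:
            return None
        self.seen.add(nonce)
        return stream_xor(self.enc_key, nonce, ct)


def demo() -> Tuple[bytes, Optional[bytes], Optional[bytes], Optional[bytes]]:
    enc_key, mac_key = b"\x01" * 32, b"\x02" * 32      # constructed fixed keys
    nonce = b"\x00" * 15 + b"\x07"
    msg = b"TRANSFER 0100 TO ACCT 42"
    # 1. Encryption only: the attacker turns 0100 into 9900 without the key.
    ct = stream_xor(enc_key, nonce, msg)
    forged = stream_xor(enc_key, nonce, flip(ct, 9, b"0100", b"9900"))
    # 2. Encrypt-then-MAC: the same edit is rejected, and so is a replay.
    rx = Receiver(enc_key, mac_key)
    blob = seal(enc_key, mac_key, nonce, msg)
    first = rx.receive(blob)
    replayed = rx.receive(blob)
    body = flip(blob[NONCE_LEN:-TAG_LEN], 9, b"0100", b"9900")
    tampered = rx.receive(blob[:NONCE_LEN] + body + blob[-TAG_LEN:])
    return forged, first, replayed, tampered


if __name__ == "__main__":
    forged, first, replayed, tampered = demo()
    print("encryption only, after bit-flip:", forged)
    print("encrypt-then-MAC, first delivery:", first)
    print("encrypt-then-MAC, replay:", replayed, "tampered:", tampered)
```

The forged plaintext decrypts cleanly and the recipient has no way to notice; the receiver with a tag and a nonce memory returns None for both the replay and the edited packet, which is the property the text is after.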
Two hosts can confirm each other's identity using digital signatures, which rely on public and private key pairs. A digital certificate binds a host's public key to its identity, signed by a certificate authority, and is what is exchanged between hosts through the firewall; private keys are never transmitted. A host gives its public key to anyone it wants to be recognised by, and uses its private key both to decrypt data that was encrypted with the matching public key and to sign data that others verify with the public key.
In symmetric encryption both hosts use the same secret key, so every host needs a separate shared secret for each host it communicates with securely (n hosts need n(n-1)/2 keys). In asymmetric encryption each host has a single key pair: the public half can be shared with every other host, and only the private half has to be kept secret.
Remote Connections (VPN)
A Virtual Private Network (VPN) lets a remote client appear to be attached directly to a private network by tunnelling its traffic over the Internet. The following comparison lists the major points of the PPTP and L2TP/IPsec protocols for VPN service. The main differences are that PPTP is older, more widely supported by older systems and easier to set up, whereas L2TP/IPsec is IETF-standardised and more secure because IPsec authenticates and encrypts the whole tunnel. PPTP's authentication and RC4-based encryption are considered weak today, so L2TP/IPsec should be preferred wherever both are available.
Point-to-Point Tunneling Protocol (PPTP) versus Layer 2 Tunneling Protocol over IPsec (L2TP/IPsec):

Standardisation
  PPTP: RFC 2637 (informational); not IETF standardised
  L2TP/IPsec: RFC 3193; IETF standardised

Ports
  PPTP: TCP port 1723 for the control connection; the tunnelled data travels in GRE (IP protocol 47), which the firewall must also permit
  L2TP/IPsec: UDP port 1701 for the L2TP tunnel, carried inside IPsec ESP; IKE negotiation uses UDP 500, or UDP 4500 with NAT traversal

Age and support
  PPTP: older; widely supported by older systems
  L2TP/IPsec: newer; less supported by older systems

Transport and encapsulated protocols
  PPTP: runs over TCP/IP and encapsulates IP, IPX or NetBEUI (NetBIOS Extended User Interface) frames
  L2TP/IPsec: similar to PPTP but uses UDP, so it can also run over asynchronous transfer mode (ATM), Frame Relay and X.25 networks

Purpose
  PPTP: carries non-TCP/IP (multiprotocol) traffic across the Internet or similar networks
  L2TP/IPsec: L2TP provides the tunnel and IPsec secures the Internet Protocol (IP) traffic inside it, giving a fully protected network link

Access control
  PPTP: provides user authentication, access control, and dial-up profiles that restrict particular kinds of remote access to specific users
  L2TP/IPsec: IPsec protects the whole path between the two computers, so no segment of the connection is unprotected

Addressing and configuration
  PPTP: assigns the remote client an internal address so it participates on the internal network as if directly connected
  L2TP/IPsec: configured through IPsec policies made up of security rules, each specifying a type of traffic by means of filters

Encryption and authentication
  PPTP: provides compression and standard or strong RC4 (a symmetric stream cipher) encryption of the traffic carried inside the tunnel
  L2TP/IPsec: first negotiates an IPsec security association between client and VPN server, authenticating the machines with certificates (or a pre-shared key), to protect the L2TP traffic; then authenticates the user with an account and password or a user certificate